While the increasing use of computers and networked computing systems has provided gains in productivity and efficiency, that same growth also exposes business processes, data, and other assets to exploitation by malicious actors. These malicious actors may use vulnerabilities in existing software, hardware, or combinations of software and hardware for information exfiltration, insertion of false information or malware, or other operations compromising the integrity of computers and networked computer systems. Although known techniques have been developed both to decrease the number of vulnerabilities and to detect malicious actors, many of these known techniques, such as antivirus schemes along with network and system intrusion detection systems, require the malicious actor to utilize techniques that have been previously identified. This is because these known techniques rely on detecting signatures of the malicious actor's behavior or signatures of any software employed by the malicious actor. If a malicious actor uses a previously unknown series of techniques or software, known techniques will typically be unable to detect the malicious actor because a signature for the behavior or software has not yet been completed and distributed.
To help identify the techniques and vulnerabilities exploited by malicious actors, the Common Vulnerabilities and Exposures (CVE) system was created to provide a reference method for publicly known information-security vulnerabilities and exposures. CVE identifiers are unique identifiers assigned by a CVE Numbering Authority (CNA) so that correspondence, network security databases, and other tools related to the vulnerability may easily reference it. A typical CVE entry includes a description, a list of URLs and other information related to the issue, and the date the entry was created.
To address the limitations of signature-based detection, antivirus companies have employed techniques such as heuristic analysis to identify the commands being used by software and determine whether these commands are suspicious. These techniques do not, however, consider historical information regarding vulnerabilities to derive predictions from which future vulnerabilities may be prevented. Others have employed intrusion detection and prevention systems (IDPS) to monitor a network or a system for suspicious traffic or intrusions. An IDPS is typically deployed for observing and monitoring a network or system so that problems with security policies and existing threats may be identified. In some deployments, the IDPS notifies administrators of important events and may also deploy countermeasures against the attackers. An IDPS may monitor traffic at an important point within the network or on important individual host devices on the network. An IDPS will typically use software signatures along with monitoring for statistical anomalies or violations of rules or policies to identify a possible intrusion. Noise in the sample, such as bad packets generated by a software bug rather than an intrusion, may result in false positives from the IDPS. Additionally, the thresholds used for detecting anomalies statistically may become outdated as threats and traffic patterns continue to evolve.
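As an added illustration of the last point above (this example is not part of the patent text), the following constructed Python example compares a fixed anomaly threshold with one that tracks a rolling baseline of recent traffic; the monitor design, the window size, the ratio and the per-minute connection counts are all assumptions made for the illustration.

```python
"""Static vs. level-tracking anomaly thresholds for an IDPS-style rate monitor.

Assumed design (not from the patent): a fixed absolute threshold is compared
with a threshold relative to the rolling median of recent accepted samples,
over a constructed series of per-minute connection counts.
"""
from collections import deque
from statistics import median


def static_alerts(counts, threshold):
    """Indices where a fixed threshold fires. Once traffic grows past the level
    the threshold was tuned for, every normal sample becomes an alert."""
    return [i for i, x in enumerate(counts) if x > threshold]


def adaptive_alerts(counts, window=10, ratio=2.0):
    """Indices where a sample exceeds `ratio` times the median of the last
    `window` accepted samples. Alerted samples are not fed back into the
    baseline, so a burst cannot raise its own threshold; gradual growth is
    absorbed because each step stays within the ratio of recent history."""
    recent = deque(maxlen=window)
    alerts = []
    for i, x in enumerate(counts):
        if len(recent) == window and x > ratio * median(recent):
            alerts.append(i)
            continue
        recent.append(x)  # warm-up and normal samples update the baseline
    return alerts


# Constructed per-minute connection counts (not real traffic): stable at ~100,
# then organic growth of +5/min up to 250, then a new plateau that contains a
# single 1800-connection burst.
STABLE = [100, 103, 98, 101, 99, 102, 100, 97, 104, 100]
GROWTH = [105 + 5 * i for i in range(30)]          # 105 .. 250
PLATEAU = [251, 249, 252, 248, 1800, 250, 251, 249, 250]
COUNTS = STABLE + GROWTH + PLATEAU
SPIKE_INDEX = COUNTS.index(1800)                    # 44

if __name__ == "__main__":
    static = static_alerts(COUNTS, threshold=200)   # tuned when traffic was ~100
    adaptive = adaptive_alerts(COUNTS)
    print(f"static threshold=200 fired {len(static)} times at {static}")
    print(f"rolling baseline fired {len(adaptive)} times at {adaptive}")
```

The fixed threshold fires on every minute after organic growth passes 200, while the rolling baseline fires only on the burst.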
The inventors have observed, however, that existing threat information is available in the form of publicly available vulnerability databases, social media posts, discussions on technical forums, and other sources. This corpus of information cannot, however, easily be considered as a whole, due to the disparate locations of the various types of information and the varying characterizations of a particular threat by multiple interested parties. A need therefore exists for a method of processing existing threat information in a manner that facilitates the generation of a threat level for a particular threat.
There is therefore a need for the ability to consider existing or historical vulnerability information and determine the likelihood that a new vulnerability will be exploited. Such exploitation-likelihood information helps prioritize the allocation of the limited personnel and resources available for securing a network or a system.